Create a Key implementation for Cloud KMS
Created by: arussellsaw
ref RFC 310
We want to create an implementation of the interface described in #18049 (closed) making special note of the below section from the RFC:
One consideration from this design is key rotation, the ciphertext returned by the Encrypt function will need to encode metadata about the key name and version alongside the ciphertext, as at least for Cloud KMS you must specify the key version you want to use when decrypting a value. This should be simple enough to do via a base64 encoded blob of JSON or something along those lines, but the important thing is that each backend implementation can pick its own way to represent that metadata as long as it is encoded within the ciphertext string returned by the Encrypt call.
We should also be careful to make sure that the implementation will not error if given an already unencrypted value to decrypt, as we want the migration to be online, so might be reading unencrypted values for a while before the migration completes.
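A sketch of the two requirements above, added here as an example and not taken from the RFC, the issue or the project's code: the key name and version are carried inside the returned string as base64-encoded JSON, and Decrypt returns anything that is not such an envelope unchanged. `Keyring`, `envelope` and their field names are assumptions, and local AES-GCM keys stand in for Cloud KMS key versions so the code runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type envelope struct { // assumed wire format: key metadata travels with the data
	Key, Version string
	Data         []byte // 12-byte nonce || AES-GCM ciphertext
}
type Keyring struct { // local stand-in for Cloud KMS: one AES-GCM key per version
	Name, Current string
	Versions      map[string]cipher.AEAD
}

func (k *Keyring) Encrypt(plaintext string) (string, error) {
	a, nonce := k.Versions[k.Current], make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil || a == nil {
		return "", fmt.Errorf("cannot encrypt with key version %q: %v", k.Current, err)
	}
	blob, err := json.Marshal(envelope{k.Name, k.Current, a.Seal(nonce, nonce, []byte(plaintext), nil)})
	return base64.StdEncoding.EncodeToString(blob), err
}

func (k *Keyring) Decrypt(value string) (string, error) {
	var e envelope
	blob, err := base64.StdEncoding.DecodeString(value)
	if err != nil || json.Unmarshal(blob, &e) != nil || e.Version == "" {
		return value, nil // not an envelope: legacy plaintext passes through unchanged
	}
	a := k.Versions[e.Version] // the envelope, not k.Current, selects the key version
	if a == nil || e.Key != k.Name || len(e.Data) < 12 {
		return "", fmt.Errorf("unusable envelope for %s version %q", e.Key, e.Version)
	}
	pt, err := a.Open(nil, e.Data[:12], e.Data[12:], nil)
	return string(pt), err // failed authentication is an error, never a pass-through
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed key
	gcm, _ := cipher.NewGCM(block)
	k := &Keyring{"demo-key", "1", map[string]cipher.AEAD{"1": gcm}}
	ct, _ := k.Encrypt("s3cret")
	fmt.Println(k.Decrypt(ct))
}
```

With this detection rule a stored value that no longer parses as an envelope is indistinguishable from legacy plaintext, so the pass-through branch is only appropriate while the migration is still running.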